Comments (6)
orlp
commented on June 10, 2024
I'm too busy right now to look into this in detail.
However, I can say that when I added ed25519_add_scalar it was only intended for keypair generation. One such usage is to generate a keypair with a provably random public key - this has uses in p2p protocols. It was never intended to be used after you've signed stuff with a keypair, and I didn't study its security at all.
from ed25519.
MentalCollatz
commented on June 10, 2024
The attack also works if you use the same base key to generate multiple keypairs, even if you never sign anything with the base key. I can submit a pull request if you're busy.
from ed25519.
Codewyvern
commented on June 10, 2024
Please submit one :) this indeed sounds like a serious issue.
from ed25519.
orlp
commented on June 10, 2024
Reviewing a pull request is not much less work than making it myself - I have to audit it regardless.
from ed25519.
orlp
commented on June 10, 2024
Sorry for the late response, this fell off my map for a while.
After some more thinking I believe this attack to be legitimate, and your solution seems so as well. It never applied to my use case (where every keypair is only added to once, and is never used before being added to), but I can see legitimate use cases where this becomes an issue.
I will implement the fix in a moment.
from ed25519.
orlp
commented on June 10, 2024
Fixed with 09ec167.
from ed25519.
Related Issues (17)
- Get public key (and seed) from private key HOT 3
- ed25519_sign() is significantly different from current libsodium/SUPERCOP ref10 implementations (and generates incompatible output) HOT 5
- Possible issues regarding signed to unsigned conversions. HOT 3
- Some patches before deletion of fork branches
- Secret key generation HOT 1
- Multisig HOT 1
- Why private_key 64 bits? HOT 1
- ed25519 decode / decompress
- ed25519_add_scalar and DH key exchange
- why private_key + 32 in sign.c HOT 1
- ed25519 private key should be 32 bytes long. HOT 2
- ⚠️ Caution when using this library: The private keys are incompatible with other ed25519 implementations. HOT 2
- ge_madd and ge_add difference HOT 1
- Inconsistent signature results HOT 1
- vcpkg release ; request to use `#include <ed25519/`
- 2nd hexadecimal number of private key
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ed25519.